Project Description
Running a web browser from your PC can cause all sorts of security or anonymity issues; e-g: content downloaded could be run automatically from your PC, resulting in disk encryption or other unpleasant events. It would be great if we could run most of this in a container so that we have as much of the web browser sandboxed, and limit the PC's exposure to security events.
So, we want to be able to run a sandboxed Firefox web browser inside a container. The web browser should [obviously] share the PC's display and provide sound. It should behave as if the browser was installed on the PC.
Goal for this Hackweek
Run a fully sandboxed Firefox web browser, on a PC that doesn't have Firefox installed.
Resources
- https://en.wikipedia.org/wiki/DirectRenderingInfrastructure
Looking for hackers with the skills:
This project is part of:
Hack Week 22
Comments
-
over 2 years ago by dfaggioli | Reply
Sounds interesting. Tools like toolbox (https://github.com/openSUSE/microos-toolbox) and distrobox (https://github.com/89luca89/distrobox) achieve something like that. In fact, they do achieve the goal of running a browser (as well as pretty much any GUI app) from inside a container. They, however, are not meant for providing strong isolation (if any real "strong" isolation can even be provided with containers), so a lot of the host is shared inside of the container.
This, of course, can be changed/restricted. Those project are not really interested in turning themselves into strong sandboxing solutions, but maybe they can be looked up, to take inspiration.
For more information, see: https://github.com/89luca89/distrobox/issues/28 and/or: https://github.com/openSUSE/microos-toolbox/blob/master/toolbox#L197
Note also that there are other similar tools (like Silverblue tlbox, written in Go instead than in bash), that it could be interesting to check.
-
over 2 years ago by nguyens | Reply
Thanks a lot Dario! It worked out with a few tweaks to provide access to the X server and the DRI device files.
-
about 2 years ago by dfaggioli | Reply
Mmm... Cool and interesting! Can I ask you which tricks?
-
over 1 year ago by nguyens | Reply
Sorry, I missed your reply... Didn't see or get any notification.
Here is the command line to run the firefox container in a podman container:
sudo podman run -it --rm -u steph \ -e DISPLAY=$DISPLAY -e XAUTHORITY=$XAUTHORITY \ -v /dev/dri:/dev/dri \ -v /tmp/.X11-unix:/tmp/.X11-unix \ -v /run/user/1000/gdm:/run/user/1000/gdm \ -v /run/user/1000/pulse:/var/run/pulse \ -v ${DOWNLOAD_DIR}:/home/steph/Downloads \ ${IMAGE} firefox
All the DISPLAY, XAUTHORITY stuff allows you to access your X server from the container. Mounting /dev/dri will support the direct rendering interface, avoiding the costly RPC calls.
-
-
Similar Projects
This project is one of its kind!